CMP-2401: Add STIG reference parser #494

yuumasato · 2024-02-27T09:31:43Z

This ensures that rules part of STIG profile contain annotations with the STIGID.

One can see the STIG references as annotation on the rule when deployed together with content from ComplianceAsCode/content#11593

$ CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11593 make deploy-local
$ oc get rule  ocp4-api-server-tls-security-profile -oyaml
...
metadata:
  annotations:
    compliance.openshift.io/image-digest: pb-ocp4vkwnn
    compliance.openshift.io/profiles: ocp4-moderate-rev-4,ocp4-stig,ocp4-high-rev-4,ocp4-stig-v1r1,ocp4-moderate,ocp4-high,ocp4-nerc-cip
    compliance.openshift.io/rule: api-server-tls-security-profile
    control.compliance.openshift.io/NIST-800-53: SC-8;SC-8(1)
    control.compliance.openshift.io/STIG: CNTR-OS-000020
    policies.open-cluster-management.io/controls: SC-8,SC-8(1),CNTR-OS-000020
    policies.open-cluster-management.io/standards: NIST-800-53,STIG
...

xiaojiey · 2024-02-29T02:57:04Z

/hold for test

xiaojiey · 2024-02-29T12:57:52Z

@yuumasato It is weird. I noticed there is stig annotation for stig in the master branch without the PR:

$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.16.0-0.nightly-2024-02-26-013420   True        False         11h     Cluster version is 4.16.0-0.nightly-2024-02-26-013420

$ oc get rule  ocp4-api-server-tls-security-profile -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-ocp4qrc9k",
  "compliance.openshift.io/profiles": "ocp4-nerc-cip,ocp4-high-rev-4,ocp4-stig-v1r1,ocp4-moderate,ocp4-stig,ocp4-moderate-rev-4,ocp4-high",
  "compliance.openshift.io/rule": "api-server-tls-security-profile",
  "control.compliance.openshift.io/NIST-800-53": "SC-8;SC-8(1)",
  "policies.open-cluster-management.io/controls": "SC-8,SC-8(1)",
  "policies.open-cluster-management.io/standards": "NIST-800-53"
}

yuumasato · 2024-02-29T14:31:27Z

"compliance.openshift.io/profiles": "ocp4-nerc-cip,ocp4-high-rev-4,ocp4-stig-v1r1,ocp4-moderate,ocp4-stig,ocp4-moderate-rev-4,ocp4-high",

@xiaojiey The compliance.openshift.io/profiles annotation was added in #398, and it lists the profiles in which a rule is selected.

This PR adds the following annotations listing more specific information about the STIG requirement implemented:
control.compliance.openshift.io/STIG: CNTR-OS-000020

And extends the policies.open-cluster-management.io/controls and policies.open-cluster-management.io/standards with STIG specific data:

    policies.open-cluster-management.io/controls: SC-8,SC-8(1),CNTR-OS-000020
    policies.open-cluster-management.io/standards: NIST-800-53,STIG

vs

  "policies.open-cluster-management.io/controls": "SC-8,SC-8(1)",
  "policies.open-cluster-management.io/standards": "NIST-800-53"

xiaojiey · 2024-03-01T07:42:10Z

Verification pass with 4.16.0-0.nightly-2024-02-29-062601:


$ utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11593
2024-03-01 15:36:10,750:INFO: Created profile bundles for ocp4, rhcos4

$ oc get rule  ocp4-api-server-tls-security-profile -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-ocp44m6tp",
  "compliance.openshift.io/profiles": "ocp4-high,ocp4-stig,ocp4-moderate,ocp4-high-rev-4,ocp4-moderate-rev-4,ocp4-stig-v1r1,ocp4-nerc-cip",
  "compliance.openshift.io/rule": "api-server-tls-security-profile",
  "control.compliance.openshift.io/NIST-800-53": "SC-8;SC-8(1)",
  "policies.open-cluster-management.io/controls": "SC-8,SC-8(1)",
  "policies.open-cluster-management.io/standards": "NIST-800-53"
}
$ oc get rule  upstream-ocp4-api-server-tls-security-profile -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-upstream-ocp46k8b6",
  "compliance.openshift.io/profiles": "upstream-ocp4-high,upstream-ocp4-stig-v1r1,upstream-ocp4-stig,upstream-ocp4-moderate-rev-4,upstream-ocp4-moderate,upstream-ocp4-nerc-cip,upstream-ocp4-high-rev-4",
  "compliance.openshift.io/rule": "api-server-tls-security-profile",
  "control.compliance.openshift.io/NIST-800-53": "SC-8;SC-8(1)",
  "control.compliance.openshift.io/STIG": "CNTR-OS-000020",
  "policies.open-cluster-management.io/controls": "SC-8,SC-8(1),CNTR-OS-000020",
  "policies.open-cluster-management.io/standards": "NIST-800-53,STIG"
}

xiaojiey · 2024-03-01T07:42:18Z

/unhold

openshift-ci-robot · 2024-03-01T10:19:50Z

@yuumasato: This pull request references CMP-2401 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.16.0" version, but no target version was set.

In response to this:

This ensures that rules part of STIG profile contain annotations with the STIGID.

One can see the STIG references as annotation on the rule when deployed together with content from ComplianceAsCode/content#11593

$ CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11593 make deploy-local
$ oc get rule  ocp4-api-server-tls-security-profile -oyaml
...
metadata:
 annotations:
   compliance.openshift.io/image-digest: pb-ocp4vkwnn
   compliance.openshift.io/profiles: ocp4-moderate-rev-4,ocp4-stig,ocp4-high-rev-4,ocp4-stig-v1r1,ocp4-moderate,ocp4-high,ocp4-nerc-cip
   compliance.openshift.io/rule: api-server-tls-security-profile
   control.compliance.openshift.io/NIST-800-53: SC-8;SC-8(1)
   control.compliance.openshift.io/STIG: CNTR-OS-000020
   policies.open-cluster-management.io/controls: SC-8,SC-8(1),CNTR-OS-000020
   policies.open-cluster-management.io/standards: NIST-800-53,STIG
...

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

yuumasato · 2024-03-04T10:36:37Z

@Vincent056 @rhmdnd This should be ready for review

yuumasato · 2024-03-04T16:39:25Z

@rhmdnd @Vincent056 I have added a parser for SRGs.

When content from ComplianceAsCode/content#11647 is deployed, we can see the following annotations:

oc get rule  ocp4-api-server-tls-security-profile -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-ocp4j6dgh",
  "compliance.openshift.io/profiles": "ocp4-moderate-rev-4,ocp4-stig-v1r1,ocp4-high-rev-4,ocp4-high,ocp4-nerc-cip,ocp4-moderate,ocp4-stig",
  "compliance.openshift.io/rule": "api-server-tls-security-profile",
  "control.compliance.openshift.io/NIST-800-53": "SC-8;SC-8(1)",
  "control.compliance.openshift.io/SRG-APP-CTR": "SRG-APP-000014-CTR-000040;SRG-APP-000560-CTR-001340",
  "policies.open-cluster-management.io/controls": "SC-8,SC-8(1),SRG-APP-000014-CTR-000040,SRG-APP-000560-CTR-001340",
  "policies.open-cluster-management.io/standards": "NIST-800-53,SRG-APP-CTR"
}

Do you have any opinion on the control name SRG-APP-CTR?

xiaojiey · 2024-03-05T09:21:05Z

/hold for test

xiaojiey · 2024-03-05T13:31:02Z

Got the same result with comment #494 (comment) when content from ComplianceAsCode/content#11647 deployed

xiaojiey · 2024-03-05T13:31:10Z

/unhold

xiaojiey · 2024-03-05T13:31:22Z

/label qe-approved

rhmdnd · 2024-03-06T23:00:41Z

pkg/profileparser/profileparser.go

+	}
+	srgperr := p.registerStandard("SRG-APP-CTR",`^https://public\.cyber\.mil/stigs/downloads/\?_dl_facet_stigs=container-platform$`)
+	if srgperr != nil {
+		log.Error(nciperr, "Could not register SRG-APP-CTR reference parser") // not much we can do here..


I could see where someone reading the logs might get confused by what this means compared to STIG one above.

If they're both related to the STIG, could we use the same error message?

Oh my, you are totally correct.
Both the STIG ID CNTR-OS-XXXXXX and container SRG SRG-APP-XXXXXX-CTR-XXXXXX are found at https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=container-platform

With same URI for both the STIGIDs and SRGs, the references will be listed together under the same name STIG :

$oc get rule ocp4-api-server-tls-security-profile -o=jsonpath={.metadata.annotations} | jq -r { "compliance.openshift.io/image-digest": "pb-ocp4jm9bc", "compliance.openshift.io/profiles": "ocp4-nerc-cip,ocp4-moderate-rev-4,ocp4-high-rev-4,ocp4-high,ocp4-moderate,ocp4-stig-v1r1,ocp4-stig", "compliance.openshift.io/rule": "api-server-tls-security-profile", "control.compliance.openshift.io/NIST-800-53": "SC-8;SC-8(1)", "control.compliance.openshift.io/STIG": "SRG-APP-000014-CTR-000040;SRG-APP-000560-CTR-001340;CNTR-OS-000020", "policies.open-cluster-management.io/controls": "SC-8,SC-8(1),SRG-APP-000014-CTR-000040,SRG-APP-000560-CTR-001340,CNTR-OS-000020", "policies.open-cluster-management.io/standards": "NIST-800-53,STIG" }

"control.compliance.openshift.io/STIG": "SRG-APP-000014-CTR-000040;SRG-APP-000560-CTR-001340;CNTR-OS-000020",

rhmdnd · 2024-03-06T23:02:50Z

Do you have any opinion on the control name SRG-APP-CTR?

This should align with the cells in the STIG spreadsheets, right?

This ensures that rules part of STIG profile contain annotations with the STIGID.

yuumasato · 2024-03-12T16:24:47Z

Do you have any opinion on the control name SRG-APP-CTR?

This should align with the cells in the STIG spreadsheets, right?

Yes, but not necessarily.
The SRGs in each rule should match the ones in the spreadsheet, unless there were changes or bugs during generation of the spreadsheeet, and/or changes that DISA did from the spreadsheeet to the published xml.

yuumasato · 2024-03-15T17:34:07Z

@Vincent056 should be ready for review

GroceryBoyJr

lgtm

openshift-ci · 2024-04-08T17:26:30Z

@GroceryBoyJr: changing LGTM is restricted to collaborators

In response to this:

lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci · 2024-04-08T17:26:33Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: GroceryBoyJr, rhmdnd, yuumasato

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [rhmdnd]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci bot requested review from rhmdnd and Vincent056 February 27, 2024 09:31

yuumasato changed the title ~~Add SITG reference parser~~ Add STIG reference parser Feb 27, 2024

openshift-ci bot added the do-not-merge/hold label Feb 29, 2024

openshift-ci bot removed the do-not-merge/hold label Mar 1, 2024

yuumasato changed the title ~~Add STIG reference parser~~ CMP-2401: Add STIG reference parser Mar 1, 2024

openshift-ci-robot added the jira/valid-reference label Mar 1, 2024

openshift-ci bot added the do-not-merge/hold label Mar 5, 2024

openshift-ci bot removed the do-not-merge/hold label Mar 5, 2024

openshift-ci bot added the qe-approved label Mar 5, 2024

rhmdnd reviewed Mar 6, 2024

View reviewed changes

yuumasato mentioned this pull request Mar 7, 2024

Add more precise URI for SRG CTR ComplianceAsCode/content#11647

Closed

Add SITG reference parser

6458b8e

This ensures that rules part of STIG profile contain annotations with the STIGID.

yuumasato force-pushed the parse_stig_references branch from 4b1088a to 6458b8e Compare March 7, 2024 15:59

rhmdnd approved these changes Mar 15, 2024

View reviewed changes

openshift-ci bot assigned rhmdnd Mar 15, 2024

openshift-ci bot added lgtm approved labels Mar 15, 2024

This comment was marked as duplicate.

Sign in to view

GroceryBoyJr approved these changes Apr 8, 2024

View reviewed changes

rhmdnd merged commit 015d0c8 into ComplianceAsCode:master Apr 8, 2024
19 of 24 checks passed

yuumasato deleted the parse_stig_references branch April 9, 2024 15:16

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CMP-2401: Add STIG reference parser #494

CMP-2401: Add STIG reference parser #494

yuumasato commented Feb 27, 2024

xiaojiey commented Feb 29, 2024

xiaojiey commented Feb 29, 2024

yuumasato commented Feb 29, 2024 •

edited

Loading

xiaojiey commented Mar 1, 2024

xiaojiey commented Mar 1, 2024

openshift-ci-robot commented Mar 1, 2024

yuumasato commented Mar 4, 2024

yuumasato commented Mar 4, 2024

xiaojiey commented Mar 5, 2024

xiaojiey commented Mar 5, 2024

xiaojiey commented Mar 5, 2024

xiaojiey commented Mar 5, 2024

rhmdnd Mar 6, 2024

yuumasato Mar 7, 2024 •

edited

Loading

yuumasato Mar 7, 2024

rhmdnd commented Mar 6, 2024

yuumasato commented Mar 12, 2024

yuumasato commented Mar 15, 2024

This comment was marked as duplicate.

GroceryBoyJr left a comment

openshift-ci bot commented Apr 8, 2024

openshift-ci bot commented Apr 8, 2024

CMP-2401: Add STIG reference parser #494

CMP-2401: Add STIG reference parser #494

Conversation

yuumasato commented Feb 27, 2024

xiaojiey commented Feb 29, 2024

xiaojiey commented Feb 29, 2024

yuumasato commented Feb 29, 2024 • edited Loading

xiaojiey commented Mar 1, 2024

xiaojiey commented Mar 1, 2024

openshift-ci-robot commented Mar 1, 2024

yuumasato commented Mar 4, 2024

yuumasato commented Mar 4, 2024

xiaojiey commented Mar 5, 2024

xiaojiey commented Mar 5, 2024

xiaojiey commented Mar 5, 2024

xiaojiey commented Mar 5, 2024

rhmdnd Mar 6, 2024

Choose a reason for hiding this comment

yuumasato Mar 7, 2024 • edited Loading

Choose a reason for hiding this comment

yuumasato Mar 7, 2024

Choose a reason for hiding this comment

rhmdnd commented Mar 6, 2024

yuumasato commented Mar 12, 2024

yuumasato commented Mar 15, 2024

This comment was marked as duplicate.

GroceryBoyJr left a comment

Choose a reason for hiding this comment

openshift-ci bot commented Apr 8, 2024

openshift-ci bot commented Apr 8, 2024

yuumasato commented Feb 29, 2024 •

edited

Loading

yuumasato Mar 7, 2024 •

edited

Loading